Access Server and IPv6 Support
Read this structured overview on Access Server's IPv6 support to understand capabilities.
Access Server primarily operates on IPv4 but offers partial support for IPv6. This topic explains how it works and links you to a tutorial with IPv6 configuration options.
IPv4 as the primary protocol
Access Server requires an IPv4 address to accept incoming VPN connections. Access Server is built on the OpenVPN core and fully supports IPv6 within the VPN tunnel. The OpenVPN core also supports IPv6 at the transport layer, but Access Server currently uses IPv4 for transport. This means that clients cannot initiate VPN connections via IPv6 addresses directly.
IPv6 in the VPN tunnel
Access Server supports IPv6 at the tunnel layer. Once a VPN connection is established over IPv4, IPv6 traffic can be routed through the VPN tunnel. Another way of putting it: Access Server enables IPv6 packet transmission within an encrypted VPN tunnel, allowing clients to transport IPv6 data over a VPN session initiated by IPv4.
Key terminology:
Transport layer: The encrypted VPN packets exchanged between the client and server. These rely on IPv4 for Access Server.
Tunnel layer: The data transmitted within the VPN tunnel, which can be IPv4 or IPv6 packets.
Requirements for IPv6:
The Linux server hosting Access Server must have an IPv6 interface and a properly configured IPv6 default gateway.
A valid IPv6 address range should be selected for your VPN client assignments.
Example setups
Example 1: Public IPv6 address assignment
Assign public IPv6 addresses to VPN clients and provide direct access to the internet via IPv6.
Example 2: Private global address pool
Assign clients unique local IPv6 addresses (the equivalent of private IPv4 addresses) that aren't routable over the internet. To allow internet access, configure Source NAT (SNAT).
Example 3: Private group-based IPv6 assignment
Assign separate IPv6 address pools to different user groups, enabling more granular control over client networking.
Use the following configuration keys to work with IPv6 in Access Server.
Configuration Key | Type | Description |
---|---|---|
vpn.routing6.enable | bool | Enable IPv6 routing. |
vpn.server.nat6 | bool | Enable IPv6 NAT. |
vpn.server.nat6.masquerade | bool | Enable IPv6 masquerade. |
vpn.client.routing6.reroute_gw | bool | Route all IPv6 traffic through the tunnel. |
vpn.server.daemon.vpn_network6 | list of subnets | Default IPv6 VPN subnets to be subdivided among OpenVPN daemons. These are used by clients as VPN routing gateways and allocated to non-group clients. |
vpn.client.routing6.inter_client | bool | Enable client-to-client IPv6 traffic. |
vpn.server.routing6.private_access | string | Controls how to route private traffic: |
vpn.server.routing6.gateway_access | bool (default=true) | If true, clients may access the server-side tun gateway IPv6 address. |
vpn.server.routing6.allow_private_nets_to_clients | bool | If true, all IPv6 addresses in vpn.server.routing6.private_network are allowed to initiate connections to VPN clients. |
vpn.server.routing6.private_network | list of subnets | Access granted to private server-side subnets. |
vpn.server.routing6.incoming_network | list of subnets | IPv6 addresses within this range may initiate connections with VPN clients. |
vpn.server.routing6.routed_subnets | list of subnets | Subnets that should be routed rather than NATed (when NAT is enabled). |
vpn.server.group_pool6 | list of subnets | Optional pool of VPN IPv6 addresses to be subdivided across groups that don't define group_subnets6 or group_range6. |
vpn.server.routing6.snat_source | list of SNAT spec strings | Defines how to perform Source Network Address Translation (SNAT) for outgoing IPv6 packets. When NAT is enabled, SNAT ensures that VPN client traffic uses a specific IPv6 address or range for outgoing traffic. Specify a range of IPv6 addresses for SNAT on each outgoing network interface. |
vpn.server.custom_snat6_chain | string | Define a custom ip6tables chain to handle all outgoing NAT. |
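
The following pre-deployment check is an added example, not Access Server code: it reviews a planned set of the keys above for the mismatches the example setups imply, such as a private pool with NAT left off. The dict layout, the function name review_ipv6_config, and the sample values are assumptions made for illustration and are not Access Server's own storage or export format.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")            # unique local (private) range
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # publicly routable range

def review_ipv6_config(cfg):
    """Return (severity, message) findings for a planned key set.
    cfg is a constructed dict: key -> bool or list of subnet strings."""
    findings = []
    if not cfg.get("vpn.routing6.enable", False):
        return [("info", "vpn.routing6.enable is off: IPv6 routing disabled")]
    nat = cfg.get("vpn.server.nat6", False)
    pools = cfg.get("vpn.server.daemon.vpn_network6", [])
    if not pools:
        findings.append(("error", "vpn_network6 is empty: no client pool"))
    for raw in pools:
        try:
            net = ipaddress.ip_network(raw, strict=True)  # rejects host bits
        except ValueError as exc:
            findings.append(("error", f"{raw}: not a valid subnet ({exc})"))
            continue
        if net.version != 6:
            findings.append(("error", f"{raw}: IPv4 subnet in an IPv6 key"))
        elif net.subnet_of(ULA) and not nat:
            findings.append(("warn", f"{raw}: private pool without "
                             "vpn.server.nat6, clients get no IPv6 internet"))
        elif net.subnet_of(GLOBAL_UNICAST) and not nat:
            findings.append(("info", f"{raw}: public pool, review "
                             "vpn.server.routing6.incoming_network"))
    for key in ("vpn.server.routing6.snat_source",
                "vpn.server.routing6.routed_subnets"):
        if cfg.get(key) and not nat:  # both only apply when NAT is enabled
            findings.append(("warn", f"{key} set but vpn.server.nat6 is off"))
    if cfg.get("vpn.client.routing6.inter_client", False):
        findings.append(("info", "inter_client on: VPN clients can reach "
                         "each other over IPv6"))
    return findings

# Constructed sample: Example 2 (private pool) with NAT left disabled.
SAMPLE = {
    "vpn.routing6.enable": True,
    "vpn.server.nat6": False,
    "vpn.server.daemon.vpn_network6": ["fd00:0:0:1::/64", "fd00::1/64"],
    "vpn.server.routing6.snat_source": ["<snat-spec-placeholder>"],
    "vpn.client.routing6.inter_client": True,
}

if __name__ == "__main__":
    print(*review_ipv6_config(SAMPLE), sep="\n")
```

The second pool entry in the sample has host bits set and is reported as an error rather than silently normalized.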